If you like PowerShell and have been looking at the ‘Request-CsCertificate’ TechNet site, you’ll notice that it doesn’t say anything about requesting an OAuth certificate anywhere on there (nor does it mention OAuth on the Set-CsCertificate page). And it seems nobody is brave enough to talk about certificates in any detail without using the GUI (to be fair, I’ve not looked that hard).
I would have thought that OAuth would have been listed on TechNet along with the other types, considering that every single deployment would have one, but I guess it’s only done once.
http://technet.microsoft.com/en-us/library/gg425723.aspx shows the following; it does hint that it “includes, but are not limited to, the following”... No sign of OAuth.
But you can use -Type OAuth as follows…

```powershell
Request-CsCertificate -New -Type OAuth -CA "fqdn-of-dc\CA-Name" -FriendlyName "Lync OAuth Certificate" -KeySize 2048 -PrivateKeyExportable $true -Organization "My Lab" -OU "IT" -State "West Midlands" -Country "GB"
```
My above example is sent to an online Certificate Authority, and outputs…
```
Issued thumbprint "C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9" for use "OAuthTokenIssuer" by "fqdn\ca-name".

Issuer             : CN=ca-name, DC=domain, DC=internal
NotAfter           : 06/11/2015 15:33:42
NotBefore          : 06/11/2013 15:33:42
SerialNumber       : 2100000005ACE51F7DFDC2C543000000000003
Subject            : CN=fqdn.co.uk, OU=IT, O=My Lab, S=West Midlands, C=GB
AlternativeNames   : {}
Thumbprint         : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9
EffectiveDate      :
PreviousThumbprint :
UpdateTime         :
Use                : OAuthTokenIssuer
SourceScope        :
```
Instead of specifying -CA, you can use -Output certificate.req, which generates a Base64-encoded certificate request that you can send to your offline CA to be issued.
Once you have the certificate, you can use the normal commands to assign that certificate to OAuth.
```powershell
Set-CsCertificate -Identity Global -Type OAuth -Thumbprint C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9
```

```
The following certificate was assigned for the type "OAuthTokenIssuer":
OAuthTokenIssuer: C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9 domain.local 11/06/2015 CN=ca-name, DC=domain, DC=local 2100000005ACE51F7DFDC2C543000000000003
```
And the usual commands to quickly confirm.
```powershell
Get-CsCertificate | fl Use, Thumbprint
```

```
Use        : OAuthTokenIssuer
Thumbprint : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9
```
It also seems that both OAuth and OAuthTokenIssuer can be used interchangeably.
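To go a step beyond the quick confirmation above, the following added example (not part of the original post) looks up the assigned OAuthTokenIssuer thumbprint in the local machine store and reports expiry, key size and private-key presence. The function name `Test-OAuthCertificate`, the 60-day warning window and the assumption that the certificate is an RSA certificate in `Cert:\LocalMachine\My` are mine, not the post's.

```powershell
# Added example (not from the original post). Assumptions: Lync Server
# Management Shell on a Front End server, RSA certificate held in
# Cert:\LocalMachine\My. Function name and thresholds are hypothetical.
function Test-OAuthCertificate {
    param(
        [int]$MinKeySize = 2048,   # same size as -KeySize in the request above
        [int]$WarnDays   = 60      # illustrative renewal window
    )

    # Use the same Use/Thumbprint properties shown in the Get-CsCertificate output.
    $assigned = @(Get-CsCertificate | Where-Object { $_.Use -eq 'OAuthTokenIssuer' })
    if ($assigned.Count -eq 0) {
        Write-Warning 'No certificate is assigned for OAuthTokenIssuer.'
        return
    }

    foreach ($entry in $assigned) {
        # Resolve the assigned thumbprint to the actual certificate object.
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $entry.Thumbprint } |
            Select-Object -First 1
        if (-not $cert) {
            Write-Warning "Thumbprint $($entry.Thumbprint) is assigned but not in the local store."
            continue
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $keySize  = $cert.PublicKey.Key.KeySize

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            KeySize       = $keySize
            HasPrivateKey = $cert.HasPrivateKey
            Healthy       = ($daysLeft -gt $WarnDays) -and
                            ($keySize -ge $MinKeySize) -and
                            $cert.HasPrivateKey
        }
    }
}

Test-OAuthCertificate | Format-List
```

A `Healthy` value of `False` points at the field to look at: a low `DaysLeft` means the certificate is due for renewal, and `HasPrivateKey : False` means the server holds only the public certificate.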